Posted by EditorDavid on Sunday January 14, 2018 @10:39PM from the taking-the-money-and-running dept.

An anonymous reader quotes BleepingComputer:
Unknown hackers (or hacker) have hijacked the DNS server for BlackWallet.co, a web-based wallet application for the Stellar Lumen cryptocurrency (XLM), and have stolen over $400,000 from users' accounts. The attack happened late Saturday afternoon (UTC timezone), January 13, when the attackers hijacked the DNS entry of the BlackWallet.co domain and redirected it to their own server. "The DNS hijack of Blackwallet injected code," said Kevin Beaumont, a security researcher who analyzed the code before the BlackWallet team regained access over their domain and took down the site. "If you had over 20 Lumens it pushes them to a different wallet," Beaumont added...

According to Bleeping Computer's calculations, as of writing, the attacker collected 669,920 Lumens, which is about $400,192 at the current XLM/USD exchange rate. The BlackWallet team and other XLM owners have tried to warn users via alerts on Reddit, Twitter, GitHub, the Stellar Community and GalacticTalk forums, but to no avail, as users continued to log into the rogue BlackWallet.co domain, enter their credentials, and then see funds mysteriously vanish from their wallets.

Unless he finds a bigger fool to sell it to before the bubble bursts.

Yes I am sad I didn't get in on this bubble at the beginning but not that sad. Let's face it: Bitcoin is no longer behaving like a currency. It's now a speculative game like tulips.

Alas I am late to this game and you should never enter a market when it looks like the bubble is about to burst. Not that sad anyway because it's a gamble. If you're kicking yourself for missing the Bitcoin bubble why not invest in some other cryptocurrency now? Yeah. I thought so.

Who the fuck modded up the parent comment?! It's a perfect example of how dumbed-down Slashdot has become lately, and how this dumbing down results in fucking idiotic comments, like the parent comment, getting incorrectly modded up.

DNS and TLS are separate, independent technologies.

One or more DNS requests will be made prior to an HTTP connection, encrypted or not, being made to a web server.

HTTPS certificates and encrypted HTTP connections can't do a damn thing about a DNS server returning an incorrect resu

Public key pinning has been deprecated due to being better as a DDOS vector than as a protection method and will be gone from future Chrome. What's left is HSTS, which is so negligible for these cases (why are you even listening on port 80?) that parent is right.

You can add an HSTS header to your HTTPS website to prevent later hijacking, provided the user has previously accessed the website. And you can always preload the HSTS policy of your website into the SOURCE CODE of common web browsers (if you have a mission-critical website and haven't done this yet, apply for it at https://hstspreload.org/ [hstspreload.org]). In addition, Firefox (since
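As an added example (not code from the commenter or from Slashdot), the following Python parses a Strict-Transport-Security header the way a browser would and reports why it would fail the hstspreload.org submission requirements: a max-age of at least one year, includeSubDomains, and the preload token. The sample headers are constructed for illustration; nothing here contacts a server.

```python
"""Parse an HSTS header and check it against the hstspreload.org requirements.

Added example. The sample header strings in the test are constructed, not
taken from any real site. Note what this does and does not cover: HSTS only
tells a browser that has already cached the policy to refuse plain HTTP for
the host; it says nothing about whether the IP that DNS returned is the right
server.
"""

ONE_YEAR = 31536000  # seconds; the preload list requires at least this max-age


def parse_hsts(header: str) -> dict:
    """Return the directives of an HSTS header as a dict.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased.
    Valueless directives map to True. A max-age that is absent or not an
    integer is stored as None so callers can tell it apart from zero.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # quoted values are allowed by the grammar
        directives[name] = value if value else True

    max_age = directives.get("max-age")
    if isinstance(max_age, str) and max_age.isdigit():
        directives["max-age"] = int(max_age)
    elif "max-age" in directives:
        directives["max-age"] = None
    return directives


def preload_problems(header: str) -> list:
    """List the reasons a header would be rejected for preloading.

    An empty list means the header satisfies the three preload requirements.
    """
    d = parse_hsts(header)
    problems = []

    max_age = d.get("max-age")
    if max_age is None:
        problems.append("max-age missing or not an integer")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")

    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: one preload-ready, one that only sets max-age.
    for sample in ("max-age=63072000; includeSubDomains; preload",
                   "max-age=31536000"):
        print(repr(sample), "->", preload_problems(sample) or "preload-ready")
```

The check mirrors the commenter's two caveats: the header only helps a browser that has already visited the site (or that ships with the preloaded list), and a site that never returns the header on port 443 gets nothing from listening on port 80.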

I'm actually wondering. With https://letsencrypt.org/ [letsencrypt.org] letting you automagically get an SSL cert that is trusted by the browsers without warnings, wouldn't anyone with control over your domain be able to look good for most browsers?

DNSSEC is supposed to handle this. DNSSEC would mean that as long as the domain name registration (and thereby key registration with the parent domain) was safe, they wouldn't have been able to generate new DNS entries without signing them, so they couldn't have done anything with the DNS server they hijacked. Of course, if they managed to get control of the DNS registration then that's another issue.

The payoff for this is just too small to be worth their effort. Personally I would hazard a bet at either an inside job or a lone individual. The risks vs. payoff are just too small for the more significant parties to be involved.

WannaCry was hugely disruptive; this by comparison is a blip that affected almost nobody. It also is only 400k PRIOR to laundering; the process of laundering and extracting that money will take a huge chunk out of it.

The point of both was to obtain money. $400,000 is a pretty good haul for limited work. What do you think the average take was for WannaCry? I doubt it was $400,000. I doubt laundering it will be a big challenge for North Korea; North Korea is a criminal enterprise in itself. It is possible they won't have to do much if they plug it back into criminal activity on the dark web.

Let's be honest, it is all about dishonesty. What is the nature of the current cryptocurrency market? It's dishonesty, about cheating taxes, about Ponzi schemes, it's about funding criminal operations, not all of it but well and truly sufficient of it to attract criminals to it in droves. That means criminal investors, criminal business and criminal employees. With regard to fraud in that environment, look no further than its own members. First suspect in all cryptocurrency frauds has to be its employee

So with most cryptocurrencies having a public, distributed ledger, how do thieves expect to pass off their stolen crypto coins? The ledger would clearly show any transfers to other wallets, would it not? So theoretically could the thieves be "ID'd" in some fashion when they try to sell the coins to other users? I realize the IDs are just hashes, but still, if the exchanges have backups, they should be able to at least identify the stolen wallet IDs, wouldn't they? While it might not be able to prevent t

It's completely possible to:

a) steal cryptocurrency
b) sit on it
c) wait for the statute of limitations for the relevant crimes to run out
d) then transfer it safely, knowing no one is paying attention any more or can do anything.

If you stole enough, it's POSSIBLE the blockchain would get forked just to spite you... but probably not.

I wonder how many thieves have made a fortune doing this, by virtue of the cryptocurrency exploding in value after the theft

Other methods, if you can find a vendor that accepts bitcoin, are to buy easily sold virtual goods like gift cards, game or software keys, etc., which you then hock to one of the dodgy resellers like those on reddit. Sure, you lose a large chunk of what you stole, but you get the money clean with a very long and difficult trail to track down.

The truly amusing part, if they decide to take the software key disposal method, is that some of those that got robbed may actually be funding the criminals that robbed them.